Booking.com partner accommodation phishing campaign targeting Japan
Campaign
Summary
A phishing campaign is targeting Booking.com partner accommodations in Japan with guest-complaint and review-request lures that deliver malicious files for TONResolver installation. The operation matters because the payload can establish a foothold for command execution and possible credential theft. The same activity also reached partner accommodations in multiple other countries, showing broader campaign continuity.
Related Happenings
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score: 22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources: 1
How related:
Within the ZIP file lay a shortcut link file (LNK) disguised as a photo file that led to the installation of TrojanSpy.JS.TONRESOLVER.A – a malware implant functioning as a remote access trojan (RAT) that TrendAI researchers also refer to simply as TONResolver – via a PowerShell script.
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
Ghost Stadium FIFA World Cup fraud campaign
Campaign
H score: 41
First: 27.05.2026 14:28
Last: 27.05.2026 14:28
Sources: 1
About this happening:
A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score: 82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources: 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Global HYIP scam campaign using fake investment sites and social media
Campaign
H score: 47
First: 02.02.2026 17:34
Last: 02.02.2026 17:34
Sources: 1
About this happening:
A **global HYIP scam campaign** is using **4,200+ fake investment websites** and **social-media promotion** to solicit deposits, creating sustained fraud risk for investors and ma...
Albiriox Austrian-targeting distribution campaign
Campaign
H score: 33
First: 01.12.2025 10:45
Last: 01.12.2025 10:45
Sources: 1
About this happening:
The **Albiriox** distribution campaign targeted **Austrian victims**, using **German-language SMS lures** and fake **Google Play Store** listings to deliver a dropper APK and enab...
Timeline
- 30.06.2026 13:30 · 2 articles
Booking.com partner accommodations in Japan targeted with TONResolver phishing emails
Initial Disclosure: TrendAI Research detected phishing emails sent to Booking.com partner accommodations in Japan that impersonated guest complaints and review requests, used a Japanese subject line such as “Important: Guest Stay Review Request,” and delivered TONResolver through a ZIP/LNK chain executed via PowerShell. The malware uses the TON blockchain as a dead drop resolver, is packaged as a Node.js application with VM-based obfuscation, and establishes a persistent keepalive connection for follow-on command execution and possible credential theft; related emails also reached Booking.com partners in other countries.
Sources:
- Hackers Leverage Blockchain to Hit Japan's Hotels Through Booking.com Phishing — www.infosecurity-magazine.com — 30.06.2026 13:30